Merge pull request #304 from yetanalytics/webserver-sec-updates

Webserver + Security dependency updates
yetanalytics · Jun 27, 2023 · 244e57d · 244e57d
2 parents 0eb2767 + 41895a2
commit 244e57d
Show file tree

Hide file tree

Showing 5 changed files with 24 additions and 108 deletions.
diff --git a/.github/workflows/nvd.yml b/.github/workflows/nvd.yml
@@ -6,23 +6,11 @@ on:
 
 jobs:
   nvd_scan:
-    uses: yetanalytics/actions/.github/workflows/nvd-scan.yml@v0.0.4
+    uses: yetanalytics/workflow-nvd/.github/workflows/nvd-scan.yml@v1
     with:
-      nvd-clojure-version: "2.9.0"
+      nvd-clojure-version: "3.3.0"
       classpath-command: "clojure -Spath -Adb-sqlite:db-postgres"
       nvd-config-filename: ".nvd/config.json"
-
-  notify_slack:
-    runs-on: ubuntu-latest
-    needs: nvd_scan
-    if: ${{ always() && (needs.nvd_scan.result == 'failure') }}
-    steps:
-      - name: Notify Slack SQL LRS NVD Scan Reporter
-        uses: slackapi/slack-github-action@v1.23.0
-        with:
-          payload: |
-            {
-              "run_link": "https://github.com/yetanalytics/lrsql/actions/runs/${{ github.run_id }}"
-            }
-        env:
-          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      notify-slack: true
+    secrets:
+      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -4,9 +4,9 @@ on: push
 
 jobs:
   nvd_scan:
-    uses: yetanalytics/actions/.github/workflows/nvd-scan.yml@v0.0.4
+    uses: yetanalytics/workflow-nvd/.github/workflows/nvd-scan.yml@v1
     with:
-      nvd-clojure-version: "2.9.0"
+      nvd-clojure-version: "3.3.0"
       classpath-command: "clojure -Spath -Adb-sqlite:db-postgres"
       nvd-config-filename: ".nvd/config.json"
 

diff --git a/.nvd/suppression.xml b/.nvd/suppression.xml
@@ -1,69 +1,11 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
+    <!-- The FP affects the Golang, not Java, version of msgpack -->
     <suppress>
         <notes><![CDATA[
-        file name: core.async-1.5.648.jar
+        file name: msgpack-0.6.12.jar
         ]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.clojure/core\.async@.*$</packageUrl>
-        <cpe>cpe:/a:async_project:async</cpe>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-        file name: jetty-io-9.4.48.v20220622.jar
-        ]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.eclipse\.jetty/jetty\-io@.*$</packageUrl>
-        <vulnerabilityName>CVE-2022-2191</vulnerabilityName>
-    </suppress>
-    <!-- The next 2 are false positives on clj/cljs priority map -->
-    <suppress>
-        <notes><![CDATA[
-        file name: cljs-priority-map-1.2.1.jar
-        ]]></notes>
-        <packageUrl regex="true">^pkg:maven/tailrecursion/cljs\-priority\-map@.*$</packageUrl>
-        <cpe>cpe:/a:priority-software:priority</cpe>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-        file name: data.priority-map-1.1.0.jar
-        ]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.clojure/data\.priority\-map@.*$</packageUrl>
-        <cpe>cpe:/a:priority-software:priority</cpe>
-    </suppress>
-    <!-- The following FP will be addressed in DependencyCheck v7.4.1 -->
-    <suppress base="true">
-        <notes><![CDATA[
-        FP per issue #5121 - fix for commons
-        ]]></notes>
-        <packageUrl regex="true">^(?!pkg:maven/commons-net/commons-net).*$</packageUrl>
-        <cpe>cpe:/a:apache:commons_net</cpe>
-    </suppress>
-    <!-- The following are FPs since the CVE affects java-json which is not a dep -->
-    <suppress>
-        <notes><![CDATA[
-        file name: jackson-core-2.14.0-rc1.jar
-        ]]></notes>
-        <packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-core@.*$</packageUrl>
-        <cve>CVE-2022-45688</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-        file name: jakarta.json-2.0.1.jar
-        ]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.glassfish/jakarta\.json@.*$</packageUrl>
-        <cve>CVE-2022-45688</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-        file name: javax.json-1.0.4.jar
-        ]]></notes>
-        <packageUrl regex="true">^pkg:maven/org\.glassfish/javax\.json@.*$</packageUrl>
-        <cve>CVE-2022-45688</cve>
-    </suppress>
-    <suppress>
-        <notes><![CDATA[
-        file name: jsonld-java-0.13.4.jar
-        ]]></notes>
-        <packageUrl regex="true">^pkg:maven/com\.github\.jsonld\-java/jsonld\-java@.*$</packageUrl>
-        <cve>CVE-2022-45688</cve>
+        <packageUrl regex="true">^pkg:maven/org\.msgpack/msgpack@.*$</packageUrl>
+        <cve>CVE-2022-41719</cve>
     </suppress>
 </suppressions>
diff --git a/deps.edn b/deps.edn
@@ -24,28 +24,17 @@
   com.zaxxer/HikariCP                      {:mvn/version "5.0.0"
                                             :exclusions  [org.slf4j/slf4j-api]}
   ;; Pedestal and Jetty webserver deps
-  io.pedestal/pedestal.jetty
-  {:mvn/version "0.5.10"
-   :exclusions
-   [org.eclipse.jetty/jetty-server
-    org.eclipse.jetty/jetty-servlet
-    org.eclipse.jetty.alpn/alpn-api
-    org.eclipse.jetty/jetty-alpn-server
-    org.eclipse.jetty.http2/http2-server
-    org.eclipse.jetty.websocket/websocket-api
-    org.eclipse.jetty.websocket/websocket-servlet
-    org.eclipse.jetty.websocket/websocket-server]}
-  org.eclipse.jetty/jetty-server           {:mvn/version "9.4.51.v20230217"}
-  org.eclipse.jetty/jetty-servlet          {:mvn/version "9.4.51.v20230217"}
-  org.eclipse.jetty.alpn/alpn-api          {:mvn/version "1.1.3.v20160715"}
-  org.eclipse.jetty/jetty-alpn-server      {:mvn/version "9.4.51.v20230217"}
+  io.pedestal/pedestal.jetty               {:mvn/version "0.6.0"}
   org.eclipse.jetty/jetty-alpn-java-server {:mvn/version "9.4.51.v20230217"}
-  org.eclipse.jetty.http2/http2-server     {:mvn/version "9.4.51.v20230217"}
   ;; Security deps
-  buddy/buddy-core                         {:mvn/version "1.10.1"}
-  buddy/buddy-sign                         {:mvn/version "3.4.1"}
-  buddy/buddy-hashers                      {:mvn/version "1.8.1"}
-  less-awful-ssl/less-awful-ssl            {:mvn/version "1.0.6"}
+  buddy/buddy-core    {:mvn/version "1.11.418"
+                       :exclusions [org.bouncycastle/bcprov-jdk18on]}
+  buddy/buddy-sign    {:mvn/version "3.4.1"
+                       :exclusions [buddy/buddy-core]}
+  buddy/buddy-hashers {:mvn/version "2.0.162"
+                       :exclusions [buddy/buddy-core]}
+  org.bouncycastle/bcprov-jdk18on {:mvn/version "1.75"}
+  less-awful-ssl/less-awful-ssl   {:mvn/version "1.0.6"}
   ;; Yet Analytics deps
   com.yetanalytics/lrs
   {:mvn/version "1.2.15"
@@ -62,7 +51,8 @@
                  org.clojure/clojurescript]}
   com.yetanalytics/pedestal-oidc
   {:mvn/version "0.0.8"
-   :exclusions  [org.clojure/clojure]}}
+   :exclusions  [org.clojure/clojure
+                 buddy/buddy-sign]}}
  :aliases
  {:db-sqlite
   {:extra-paths ["src/db/sqlite"]

diff --git a/src/test/lrsql/lrs_test.clj b/src/test/lrsql/lrs_test.clj
@@ -29,13 +29,9 @@
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 
 (defn- remove-props
-  "Remove properties added by `prepare-statement`."
+  "Remove properties added by `lrsql.util.statement/prepare-statement`."
   [statement]
-  (-> statement
-      (dissoc "timestamp")
-      (dissoc "stored")
-      (dissoc "authority")
-      (dissoc "version")))
+  (dissoc statement "timestamp" "stored" "authority" "version"))
 
 (defn get-ss
   "Same as `lrsp/-get-statements` except that `remove-props` is applied